Dive into RFC 2574
User-based Security Model (USM) for SNMPv3
SNMP-v3 Sasan Adibi
Threats
Limited protection provided for:
• Modification of Information
• Masquerade - unauthorized users falsely claiming the identity of authorized ones
• Disclosure - eavesdropping on the exchange between managed agents and the management station
• Message Stream Modification - danger of messages being re-ordered, delayed, or replayed by unauthorized management stations
Threats Cont.
No protection against:
• Denial of Service
• Traffic Analysis
Goals
• Verify that each received SNMP message has not been modified during its transmission through the network.
• Verify the identity of the user on whose behalf a received SNMP message claims to have been generated.
• Detect received SNMP messages, which request or contain management information, whose time of generation was not recent.
• Provide, when necessary, that the contents of each received SNMP message are protected from disclosure.
Constraints
• When the requirements of effective management in times of network stress are inconsistent with those of security, the design should prefer the former
• Neither the security protocol nor its underlying security mechanisms should depend upon the ready availability of other network services (e.g., Network Time Protocol (NTP) or key management protocols)
• A security mechanism should entail no changes to the basic SNMP network management philosophy
Security Services
• Data Integrity
• Data Origin Authentication
• Data Confidentiality
• Message timeliness and limited replay protection
Why Use SNMP-v3
• Authentication
  • HMAC-MD5-96 or SHA authentication
  • Password must be greater than 8 characters, spaces included
• Privacy
  • Packet data may now be DES encrypted (additional encryptions)
  • CBC-DES Symmetric Encryption Protocol
  • Allows for a unique privacy password
• Inform Traps
  • Old-style trap was "throw-n-pray" over UDP
  • v2 Inform trap is over TCP and requires a response
  • Traps may also have authentication and privacy passwords
• Security Structures
  • User / Scope / ACL may each have independent AuthPriv structures
Authoritative and Non-authoritative Engines
• In any message, one of the transmitter/receiver SNMP entities is designated as the Authoritative SNMP engine
  • When a message expects a response, the receiver of such messages is authoritative
  • When no response is expected, the sender is authoritative
• This serves two purposes
  • Timeliness of a message is determined with the clock of the authoritative engine
  • Key localization process
Protocol context of SNMP (figure)
SNMPv3 Architecture
• SNMPv3 architecture (RFC 2571) consists of a distributed collection of SNMP entities communicating together
• Each SNMP entity may act as manager, agent, or a combination
• SNMP Engine - implements functions for:
  • sending and receiving messages
  • authenticating and encrypting/decrypting messages
  • controlling access to managed objects
SNMP Engine Modules
• Modular nature means that upgrades to individual modules can be made without redoing the architecture
• Modules:
  • Dispatcher
  • Message Processing Subsystem
  • Security Subsystem
  • Access Control Subsystem
SNMP Manager (figure)
SNMP Agent (figure)
SNMP Engine Modules: Dispatcher
• Dispatcher is a simple traffic manager
• On incoming messages
  • It accepts incoming messages from the transport layer
  • Routes each message to the appropriate message processing module
  • When the message processing completes, the Dispatcher sends the PDU to the appropriate application
• On outgoing messages
  • It accepts PDUs from the Application layer
  • Sends them to the Message Processing subsystem
  • Sends them to the Transport layer
SNMP Engine Modules: Dispatcher
• Dispatcher Submodules
  • PDU Dispatcher - sends/accepts Protocol Data Units (PDUs) to/from SNMP applications
  • Message Dispatcher - transmits to/from the message processing subsystem
  • Transport Mapping - sends/receives transport layer packets
Message Processing Module
• On outgoing PDUs
  • Accepts outgoing PDUs from the dispatcher
  • Passes the message to the security subsystem
  • Wraps the result with the appropriate header
  • Sends it back to the dispatcher
• On incoming PDUs
  • Accepts messages from the dispatcher
  • Processes the headers
  • Possibly sends them to the Security Subsystem for authentication and decryption
  • Returns the enclosed PDU to the dispatcher
Security and Access Control Modules
• Security modules
  • User-based Security Model (USM)
  • Other security models are allowed for, but none are defined yet
• Access Control Modules
  • View-based Access Control Model (VACM)
  • Others allowed
SNMPv3 Terminology
• snmpEngineId - unique ID of an engine (octet string)
• contextEngineId - unique ID of an SNMP entity
• contextName - identifies a particular context within an SNMP engine
• scopedPDU - block including: contextEngineId, contextName and an SNMP PDU
• snmpMessageProcessingModel - unique identifier
• snmpSecurityModel - integer indicating whether authentication and/or encryption are required
• principal - the entity for "Whom the Bell Tolls"
• securityName - string representation of the principal
SNMPv3 Applications
• Command generator applications
  • Make use of the sendPdu primitive
  • Path: Dispatcher, Message Processing, Security subsystem, and finally UDP
  • Later, the processResponse dispatcher primitive handles the response
• Notification originator/receiver applications
  • Operate similarly when sending a notification
• Command Responder applications use the primitives
  • registerContextEngineID - "here is my ID" (unregister also exists)
  • processPDU
  • returnResponsePDU
  • isAccessAllowed (Access Control Subsystem primitive)
• Proxy forwarder application
Message Processing Model
• RFC 2572 defines the message processing model
• The model on outgoing messages
  • Accepts PDUs from the dispatcher
  • Encapsulates them in messages
  • Invokes the User-based Security Model (USM) to insert security-related parameters in the headers
• On incoming messages
  • Invokes the User-based Security Model (USM) to process the security-related parameters in the header
  • Delivers the encapsulated PDU back to the dispatcher
• SNMP message: first five fields (figure)
SNMPv3 Message Format with USM (figure)
USM Timeliness Mechanisms
• A non-authoritative engine maintains copies of
  • snmpEngineBoots = number of times rebooted since originally configured (0 to 2^31)
  • snmpEngineTime
  • latestReceivedEngineTime
• USM update conditions
• USM update rule
• Message judged to be outside the window …
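The slide leaves the update rule and the window test as headings. The following Python is an added example, not from the slides, that applies the rules as RFC 2574 section 3.2 states them: an authoritative receiver compares the message's boots/time against its own clock, a non-authoritative receiver first refreshes its stored copy (snmpEngineBoots, snmpEngineTime, latestReceivedEngineTime) from an authenticated message and then checks the window. The 150-second window and the 2^31-1 boots ceiling are the RFC's constants; the class names are this example's own.

```python
# Added example: USM timeliness checks as specified in RFC 2574 section 3.2.
# Only authenticated messages should ever reach these checks; an unauthenticated
# message could otherwise be used to push the stored clock values forward.

MAX_BOOTS = 2**31 - 1     # once snmpEngineBoots reaches this, the key must be changed
TIME_WINDOW = 150         # seconds; RFC 2574 section 2.2.3


class AuthoritativeEngine:
    """Clock of the engine that owns the key (the receiver of requests, sender of traps)."""

    def __init__(self, boots: int, time: int) -> None:
        self.boots = boots   # snmpEngineBoots
        self.time = time     # snmpEngineTime

    def in_time_window(self, msg_boots: int, msg_time: int) -> bool:
        # RFC 2574 3.2 step 7a: reject if boots are exhausted, boots differ,
        # or the claimed time is more than 150 s away from our own clock.
        if self.boots == MAX_BOOTS:
            return False
        if msg_boots != self.boots:
            return False
        return abs(self.time - msg_time) <= TIME_WINDOW


class NonAuthoritativeView:
    """Local copy (LCD entry) that a manager keeps of one remote authoritative engine."""

    def __init__(self) -> None:
        self.boots = 0                  # last accepted snmpEngineBoots of the remote engine
        self.time = 0                   # last accepted snmpEngineTime of the remote engine
        self.latest_received_time = 0   # latestReceivedEngineTime

    def update(self, msg_boots: int, msg_time: int) -> bool:
        """USM update rule (step 7b): only move the stored clock forward.

        Returns True when the stored values were refreshed.
        """
        newer = msg_boots > self.boots or (
            msg_boots == self.boots and msg_time > self.latest_received_time
        )
        if newer:
            self.boots = msg_boots
            self.time = msg_time
            self.latest_received_time = msg_time
        return newer

    def in_time_window(self, msg_boots: int, msg_time: int) -> bool:
        # Step 7c: a message is outside the window if the remote engine's boots are
        # exhausted, the message carries an older boot count, or the same boot count
        # with a time more than 150 s behind the latest time already seen.
        if self.boots == MAX_BOOTS:
            return False
        if msg_boots < self.boots:
            return False
        if msg_boots == self.boots and msg_time < self.latest_received_time - TIME_WINDOW:
            return False
        return True


if __name__ == "__main__":
    agent = AuthoritativeEngine(boots=3, time=1000)       # constructed clock values
    print("request with fresh time accepted:", agent.in_time_window(3, 1100))
    print("request 200 s off rejected:", agent.in_time_window(3, 1200))
    manager = NonAuthoritativeView()
    manager.update(3, 1000)                                # learned from a discovery response
    print("replayed older response rejected:", manager.in_time_window(3, 800))
    print("response after agent reboot accepted:", manager.in_time_window(4, 5))
```

The replay limit is deliberately loose: a message can be replayed for up to 150 seconds, which is why the slides call this "limited replay protection" rather than replay prevention.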
Key Localization Process (figure)
SNMPv3 RFCs (figure)
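The key localization slide survives only as a title, and the "Why Use SNMP-v3" slide names HMAC-MD5-96 without showing how the key is produced. The Python below is an added example, not from the slides, that carries both through as RFC 2574 Appendix A.2 and sections 6.3/7.3 define them: the password is expanded to a 1 MiB stream and hashed once to give the user key Ku, Ku is then localized to one authoritative engine as Kul = H(Ku || snmpEngineID || Ku), and the message authentication parameters are the first 12 octets of an HMAC computed with that 12-octet field zeroed. The password "maplesyrup" and the engine ID 0x000000000000000000000002 are the RFC's own test vectors; the message framing in `build_authenticated_message` is a constructed stand-in for BER, not real SNMP encoding.

```python
# Added example: RFC 2574 password-to-key, key localization and HMAC-96 truncation.
import hashlib
import hmac

PASSWORD_STREAM_LEN = 1048576   # 1 MiB, RFC 2574 Appendix A.2
AUTH_PARAM_LEN = 12             # 96-bit truncation, RFC 2574 sections 6.3 and 7.3

# Test vector inputs from RFC 2574 Appendix A.3
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku: repeat the password to fill a 1 MiB stream and hash it once."""
    if not password:
        raise ValueError("password must not be empty")
    reps = PASSWORD_STREAM_LEN // len(password) + 1
    stream = (password * reps)[:PASSWORD_STREAM_LEN]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku).

    One password yields a different key per agent, so a key recovered from one
    agent does not authenticate the same user to any other agent.
    """
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_parameters(kul: bytes, whole_msg: bytes, hash_name: str) -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message, truncated to 12 octets.

    The caller must pass the message with its 12-octet parameter field set to zeros.
    """
    return hmac.new(kul, whole_msg, hash_name).digest()[:AUTH_PARAM_LEN]


def build_authenticated_message(kul: bytes, header: bytes, scoped_pdu: bytes, hash_name: str) -> bytes:
    """Constructed framing: header || msgAuthenticationParameters || scopedPDU."""
    zeroed = header + bytes(AUTH_PARAM_LEN) + scoped_pdu
    mac = auth_parameters(kul, zeroed, hash_name)
    return header + mac + scoped_pdu


def verify_authenticated_message(kul: bytes, msg: bytes, header_len: int, hash_name: str) -> bool:
    """Receiver side: zero the carried MAC, recompute, compare in constant time."""
    if len(msg) < header_len + AUTH_PARAM_LEN:
        return False
    carried = msg[header_len:header_len + AUTH_PARAM_LEN]
    zeroed = msg[:header_len] + bytes(AUTH_PARAM_LEN) + msg[header_len + AUTH_PARAM_LEN:]
    return hmac.compare_digest(carried, auth_parameters(kul, zeroed, hash_name))


if __name__ == "__main__":
    for name in ("md5", "sha1"):
        ku = password_to_key(RFC_PASSWORD, name)
        kul = localize_key(ku, RFC_ENGINE_ID, name)
        print(f"{name}: Ku={ku.hex()} Kul={kul.hex()}")
    kul = localize_key(password_to_key(RFC_PASSWORD, "md5"), RFC_ENGINE_ID, "md5")
    header = b"constructed-v3-header"          # constructed, not BER
    msg = build_authenticated_message(kul, header, b"constructed-scopedPDU", "md5")
    print("verifies:", verify_authenticated_message(kul, msg, len(header), "md5"))
    tampered = msg[:-1] + bytes([msg[-1] ^ 0x01])
    print("tampered verifies:", verify_authenticated_message(kul, tampered, len(header), "md5"))
```

The 1 MiB expansion is the only work factor the password derivation has, so a short password gains little from it; that is the reason behind the slide's minimum-length rule, and why the localized key rather than the password is what an agent should store.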
SNMP-v3 Strengths
• Widespread Support
  • SNMP agents available for many network devices (hosts, routers, switches, bridges, modems, printers, etc.)
• Flexible and Extensible
  • SNMP agents can be extended to cover device-specific data
  • Clear mechanism for upgrading
  • Additional interoperability via proxies
SNMP-v3 Weaknesses
• SNMP is not really "simple"
  • Complicated protocol to implement
  • Complex encoding rules
• SNMP is not an efficient protocol
  • Bandwidth wasted with useless information
  • Inefficiencies of ASN.1 with respect to compactness
• SNMP lacking in security
  • Lack of privacy or strong authentication
  • Offered in SNMP-v3, but SNMP-v1 still widely used
  • Limits utility for monitoring remote networks
SNMP Weaknesses Cont.
• Latency can be high in SNMP
  • Request-response protocol, leading to a delay between time of request and time of response
  • Typically small in a LAN, but potentially a problem in a WAN
THANK YOU